Additional Information and Copies

To request copies of this report, contact Mr. James Graham at (703) 604-8841
(DSN 664-8841).

Suggestions for Future Audits and Evaluations

To suggest ideas for, or to request future audits and evaluations of Defense
intelligence issues, contact the Office of the Deputy Inspector General for
Intelligence at (703) 604-8800 (DSN 664-8800) or fax (703) 604-0045. Ideas and
requests can also be mailed to:

    Office of the Deputy Inspector General for Intelligence
    ODIG-INTEL (ATTN: Audit/Evaluation Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 703)
    Arlington, VA 22202-4704

Acronyms

ATSD(IO)    Assistant to the Secretary of Defense for Intelligence Oversight
CI          Counterintelligence
CIFA        Counterintelligence Field Activity
DCIIS       Defense Counterintelligence Information System
DIA         Defense Intelligence Agency
DIMA        Defense Intelligence Mission Area
TALON       Threat and Local Observation Notice
USD(I)      Under Secretary of Defense for Intelligence

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

May 11, 2009

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR INTELLIGENCE
               ASSISTANT TO THE SECRETARY OF DEFENSE
                  FOR INTELLIGENCE OVERSIGHT

SUBJECT: Report on Audit of Information Technology Portfolio for DoD Intelligence
         Databases (Report No.
         09-INTEL-07)

We are providing this report for review and comment.

Comments from the Under Secretary of Defense for Intelligence were not received
on the December 10, 2008, draft of this report. We request that management provide
comments that conform to the requirements of DoD Directive 7650.3. Please provide
comments by June 8, 2009.

If possible, please send management comments in electronic format (Adobe
Acrobat file only) to Averel.Gregg@dodig.mil or iggreae@dodig.ic.gov. Copies of the
management comments must contain the actual signature of the authorizing official. We
cannot accept the / Signed / symbol in place of the actual signature. If you arrange to
send classified comments electronically, they must be sent over the Joint Worldwide
Intelligence Communications System (JWICS).

Management comments should indicate concurrence or nonconcurrence with each
applicable finding and recommendation. Comments should describe actions taken or
planned in response to agreed-upon recommendations and provide the completion dates
of the actions. State specific reasons for any nonconcurrence and propose alternative
actions, if appropriate.

We appreciate the courtesies extended to the staff. Questions should be directed
to Mr. Sean Mitchell at (703) 604-8815 (DSN 664-8815) or Mr. Averel E. Gregg at
(703) 604-8965 (DSN 664-8965).

Patricia A. Brannin
Deputy Inspector General
for Intelligence

Department of Defense Office of Inspector General

Report No. 09-Intel-07                                        May 11, 2009
(Project No.
D2008-DINT02-0055)

Audit of Information Technology Portfolio for DoD Intelligence Databases

Executive Summary

Who Should Read This Report and Why? All DoD officials and intelligence and
counterintelligence personnel who manage DoD databases should read this report.

Background. This report discusses DoD criteria and compliance with internal controls
related to portfolio management for intelligence databases.

During the briefing of DoD Inspector General Report No. 07-INTEL-09, “The Threat and
Local Observation Notice Report Program,” June 27, 2007, the House Permanent Select
Committee on Intelligence suggested that the DoD Inspector General audit additional
intelligence databases.

Results. Office of the Under Secretary of Defense for Intelligence officials had not fully
established the control mechanisms to effectively manage and oversee DoD databases for
intelligence components in accordance with DoD regulations. Office of the Under
Secretary of Defense for Intelligence officials had not established an intelligence
technology portfolio; therefore, they did not have visibility into issues such as duplication
of systems, facilities, and services; and system interoperability. As a result, officials
were unaware of the quantity and capabilities of intelligence databases maintained by
agencies within the intelligence community responsible for data collection and
dissemination.
Under Secretary of Defense for Intelligence officials did not have:

  • the capability to guarantee that the information collected, stored, and
    disseminated by subordinate agencies was maintained in accordance with
    applicable intelligence laws and DoD regulations;
  • the information needed to identify gaps and opportunities for technology
    insertions to enhance intelligence, counterintelligence, and security
    responsibilities; and
  • all the information needed to provide advice concerning acquisition programs that
    significantly affected the Defense intelligence community.

Recommendation 2 in the December 10, 2008, draft report was deleted because the
Office of the Under Secretary of Defense for Intelligence removed the Defense
Intelligence Mission Area Portfolio Management Office from the Defense Intelligence
Agency and incorporated that function into their Deputy Under Secretaries of Defense for
Portfolio, Programs, and Resources office.

Recommendations. We recommend that the Under Secretary of Defense for
Intelligence:

  • develop an intelligence information technology portfolio,
  • assess all systems in the information technology portfolio to enhance the
    management of those systems.

Client Comments. Under Secretary of Defense for Intelligence did not provide
comments to the draft of this report issued December 10, 2008.

Our Response. We request that the Under Secretary of Defense for Intelligence
comment on this report by June 8, 2009.

Table of Contents

Executive Summary
Background
Objectives
Finding
    USD(I) Intelligence Database Oversight
Appendixes
    A. Scope and Methodology
    B. Mitre report

Background

This report discusses DoD criteria and compliance with internal controls related
to information technology portfolio management for Intelligence Community
databases.

During the briefing of DoD Office of the Inspector General, (Report No.
07-INTEL-09), “The Threat and Local Observation Notice (TALON) Report
Program,” June 27, 2007, the House Permanent Select Committee on Intelligence
suggested that the DoD Inspector General audit additional intelligence databases.
The DoD Inspector General conducted the TALON audit in response to a
congressional request on media reports that DoD developed and maintained a
database for information on U.S. persons conducting domestic anti-war and
counter military protests and demonstrations. The audit found that the
Counterintelligence Field Activity (CIFA) and the U.S. Northern Command had
legally gathered and maintained TALON data for law enforcement and force
protection purposes; however, they did not comply with the information retention
criteria specified in DoD directives. The Deputy Secretary of Defense directed
the termination of the TALON reporting system effective September 17, 2007.

DoD Criteria. DoD Regulation, 5240.1-R, “Procedures Governing the Activities
of DoD Intelligence Components that Affect U.S. Persons,” dated December
1982, established procedures for collecting, retaining, and disseminating
information on U.S. persons. Specifically, DoD Regulation 5240.1-R defines
collected information as follows:

    Information shall be considered as "collected" only when it has been
    received for use by an employee of a DoD intelligence component in
    the course of his official duties.
    Thus, information volunteered to a
    DoD intelligence component by a cooperating source would be
    "collected" under this procedure when an employee of such component
    officially accepts, in some manner, such information for use within that
    component. Data acquired by electronic means is "collected" only
    when it has been processed into intelligible form.

DoD Directive 8115.02, “Information Technology Portfolio Management
Implementation,” dated October 30, 2006, establishes policy and assigns
responsibilities for the management of DoD information technology investments
as portfolios that focus on improving DoD capabilities and mission outcomes.

DoD Directive 5148.11, “Assistant to the Secretary of Defense for Intelligence
Oversight (ATSD[IO]),” May 21, 2004, updates the responsibilities, functions,
relationships, and authorities of the Assistant to the Secretary of Defense for
Intelligence Oversight:

    In the exercise of assigned responsibilities, the ATSD(IO) shall
    develop intelligence oversight policy and, in coordination with the
    General Counsel of the Department of Defense, issue intelligence
    oversight guidance to the DoD Components, including regulatory
    guidance implementing intelligence oversight aspects of Executive Order
    (E.O.)
    12333 United States Intelligence Activities, dated
    December 4, 1981.

DoD Manual 8115.01, “Information Technology Portfolio Management,”
October 30, 2006, requires information technology investments be managed as
portfolios to ensure investments support the Department’s vision, mission, and
goals; ensure efficient and effective delivery of capabilities to the warfighter; and
maximize return on investment to the enterprise. Each portfolio shall be managed
using the Global Infrastructure Grid, plans, risk management techniques,
capability goals and objectives, and performance measures. Portfolios shall be
nested and integrated at the Enterprise, Mission, and Component levels. The
Enterprise portfolio shall be divided into Mission Area portfolios, which includes
the DoD portion of intelligence. Portfolios shall be used as a management tool in
each of the Department’s decision support systems including: the Joint
Capabilities Integration and Development System; the Planning, Programming,
Budgeting, and Execution System; and the Defense Acquisition System. The
Under Secretary of Defense for Intelligence (USD[I]) is the Mission Area lead for
the DoD portion of the Intelligence Portfolio. The USD(I) shall establish the
Defense Intelligence Mission Area (DIMA) portfolio and issue guidance for
managing the DIMA portfolio and designate responsibilities for DIMA portfolio
management.

Definitions

Data Repository. A specialized database containing information about data,
such as meaning, relationships to other data, origin, usage, and format, including
the information resources needed by an organization. (DoD 8320.1-M)

Database.
A collection of interrelated data, often with controlled redundancy,
organized according to a schema to serve one or more applications; the data are
stored so that other programs without concern for the data structure or
organization can use them. A common approach is used to add new data, and
modify and retrieve existing data. (DoD 8320.1-M-1)

Information Technology. The term with respect to an executive agency means
any equipment or interconnected system or subsystem of equipment that is used
in the automatic acquisition, storage, manipulation, management, movement,
control, display, switching, interchange, transmission, and reception of data or
information. The term “information technology” includes computers, ancillary
equipment, software, firmware, and any similar procedures, services, and related
resources. (Chairman of the Joint Chief of Staff Instruction 8410.01)

Information Technology Portfolio. A grouping of information technology
investments by capability to accomplish a specific functional goal, objective, or
mission outcome. (DoDD 8115.01)

Information Technology Portfolio Management. The management of selected
groupings of information technology investments using strategic planning,
architectures, and outcome-based scoring criteria to achieve mission capability.
(Chairman of the Joint Chief of Staff Instruction 8410.01)

Portfolio. The collection of capabilities, resources and related investments that
are required to accomplish a mission-related or administrative outcome. A
portfolio includes outcomes, performance measures (mission, functional, or
administrative measures), and an expected return on investment.
Resources
include people, money, facilities, weapons, information technology, other
equipment, logistics support, services, and information. Management activities
for the portfolio include strategic planning, capital planning, governance, process
improvements, performance metrics/measures, requirements generation,
acquisition/development, and operations (DoD 8115.02).

Schema. A definition of data structure. (FIPS 184)

Internal Schema. A schema of the American National Standards Institute’s
Standard Planning and Requirements Committee’s Three Schema Architecture, in
which views of information are represented in a form specific to the database
management system used to store the information; a description of the physical
structure of data. (FIPS 184)

Objective

Our overall audit objective was to determine the extent that DoD intelligence and
counterintelligence (CI) components maintain databases that contain U.S. person
information. This report discusses control mechanisms for effective management
and oversight. See Appendix A for a discussion of the scope and methodology,
and prior audit coverage related to the objectives.

USD(I) Intelligence Database Oversight

OUSD(I) officials had not fully established the control mechanisms to
effectively manage and oversee DoD databases for intelligence
components in accordance with DoD regulations. OUSD(I) officials had
not established an intelligence technology portfolio; therefore, they did not
have visibility into issues such as duplication of systems, facilities, and
services; and system interoperability.
As a result, OUSD(I) officials were
unaware of the quantity and capabilities of intelligence databases
maintained by agencies within the intelligence community responsible for
data collection and dissemination. In addition, OUSD(I) officials did not
have:

  • the capability to guarantee that the information collected, stored,
    and disseminated by subordinate agencies was maintained in
    accordance with applicable intelligence laws and DoD regulations;
  • the information needed to identify gaps and opportunities for
    technology insertions to enhance intelligence, counterintelligence,
    and security responsibilities; and
  • all the information needed to provide advice concerning
    acquisition programs that significantly affected the Defense
    intelligence community.

USD(I) Program Oversight and Responsibilities

On April 18, 2003, the Secretary of Defense established the office of the Under
Secretary of Defense for Intelligence. The primary functions of the USD(I) are to
act as the principal assistant to the Secretary of Defense regarding intelligence;
exercise the authority, direction, and control over intelligence and
intelligence-related activities within the DoD; and serve as the single point of
contact within the DoD for other government agencies on intelligence matters.

USD(I) Program Oversight.
DoD Directive 5143.01, “Under Secretary of
Defense for Intelligence,” November 23, 2005, states that the USD(I) exercises
the Secretary of Defense’s authority, direction, and control over the Defense
Agencies and DoD Field Activities that are Defense intelligence, CI, or security
components [1] and exercises planning, policy, and strategic oversight over all DoD
intelligence, CI, and security policy, plans, and programs.

[1] DoD Directive 5143.01 states that the Under Secretary of Defense for Intelligence shall exercise the
    Secretary of Defense’s authority, direction, and control over the Defense Security Service,
    Defense Intelligence Agency, National Geospatial-Intelligence Agency, National Security
    Agency/Central Security Service, and the National Reconnaissance Office and other positions and
    organizations as may be established by the USD(I).

In the performance of this policy, the USD(I) shall:

  • oversee DoD Intelligence Community policy, plans, programs, required
    capabilities, and resource allocations, which includes exercising
    responsibilities for DoD Components within the National Intelligence
    Program and the Military Intelligence Program;
  • develop and oversee DoD policy regarding the sharing of information
    consistent with applicable laws, regulations, and policies;
  • serve as the focal point for all policy and oversight matters relating to
    intelligence information sharing and interoperability of Defense
    intelligence systems and processes;
  • use existing systems, facilities, and services of DoD and other
    Federal Agencies to avoid duplication and to achieve maximum readiness,
    sustainability, economy, and efficiency; and
  • identify gaps and opportunities for technology insertion to enhance
    intelligence, CI, and security capabilities.

DoD Directive 5143.01 states that for planning, programming, budgeting, and
execution matters, USD(I) shall support the Assistant Secretary of Defense for
Legislative Affairs and the Under Secretary of Defense (Comptroller) in
presenting, justifying, and defending intelligence, CI, and security programs and
budgets before the Congress as well as evaluating and assessing Congressional
activity for impact on all assigned areas of responsibility. That Directive further
states that, for acquisition matters, the USD(I) shall provide advice and assistance
to officials and entities within the U.S. Government concerning acquisition
programs that significantly affect Defense intelligence, CI, and security
components as well as intelligence, CI, and security programs.

USD(I) Program Responsibilities. DoD Directive 8115.01, “Information
Technology Portfolio Management,” October 10, 2005, states that the USD(I)
shall serve as the mission area lead for the DoD portion of the intelligence
portfolio. [2] The Directive tasked USD(I) with establishing the DIMA Portfolio as
well as issuing guidance and designating responsibilities for managing the DIMA
portfolio.
DoD Instruction 8115.02, “Information Technology Portfolio
Management Implementation,” October 30, 2006, states that USD(I) has
delegated responsibility for managing the DIMA portfolio to the Director,
Defense Intelligence Agency (DIA), but USD(I) retains final signature authority.
DIA established the DIMA Portfolio Management Office to manage the DIMA
portfolio.

[2] According to DoDD 8115.01, an Information Technology Portfolio is a grouping of information
    technology investments by capability to accomplish a specific functional goal, objective, or mission
    outcome. DoDD 8115.01 does not provide an official definition for the phrase “Intelligence Portfolio;”
    however, the specific functional goal described in this section relates to the collection of intelligence data
    required for an Information Technology Portfolio.

List of DoD Intelligence Databases

OUSD(I) did not have a list of DoD intelligence databases; therefore, OUSD(I)
officials were unaware of the quantity and content of the large repository/library
type of intelligence databases that contain source information maintained by DoD
intelligence components. On November 13, 2007, the USD(I) issued a
memorandum to the DoD intelligence components requesting that they provide a
point of contact by November 26, 2007. Each point of contact was responsible
for assembling a list and description of the database(s) that contain U.S. person
information maintained for intelligence, CI, law enforcement, or force protection
purposes; and identifying the organization that maintained each database.
As of
October 22, 2008, OUSD(I) personnel had not located any responses to the
November 13, 2007, memorandum.

OUSD(I) officials and officials within the Intelligence Agencies requested
clarification on how the DoD IG defined the word “database.” On
January 8, 2008, DoD IG made a distinction for this audit between the large
repository/library type databases and the databases created by analysts from
querying the large repository/library type database pertaining to a specific threat
category or topic. We view the databases created by analysts pertaining to a
specific threat category or topic as their “work projects.”

The DIA’s DIMA Portfolio Management Office was requested to provide a list of
existing DoD intelligence databases, a description of each database, the name of
the organization responsible for maintaining the database, and a database point of
contact maintained for intelligence, CI, law enforcement, or force protection
purposes. On December 20, 2007, the DIA’s DIMA Portfolio Management
Office officials stated that a list of the universe of DoD intelligence and CI
databases containing U.S. person information was unavailable because the
organization had only been in existence since October 2006 and they had not
received a listing from OUSD(I). DoD Directive 5143.01 states that the USD(I)
shall provide support for presentations, justifications, and the defense of
intelligence budgets before Congress.
Therefore, the DIA’s DIMA Portfolio
Management Office personnel did not have the information needed to fulfill their
mission of managing the intelligence information technology portfolio.

Management and Oversight

OUSD(I) officials had not fully established the control mechanisms to effectively
manage and oversee DoD databases for intelligence components in accordance
with DoD regulations. Although DoD Directive 8115.01, October 10, 2005,
required the USD(I) to establish an intelligence information technology portfolio
and provide that portfolio to the DIA’s DIMA Portfolio Management Office,
OUSD(I) officials did not establish an intelligence information technology
portfolio to enhance intelligence, CI, and security responsibilities. Therefore,
OUSD(I) officials did not have visibility into issues such as duplication of
systems, services, and facilities; system interoperability; and opportunities for
technology insertion. The development and effective management of a joint
intelligence operating system begins with the knowledge of available intelligence
databases owned and maintained by each member of the intelligence community
followed by an understanding of each database’s capabilities.

Maintaining a directory of databases allows intelligence administrators to make
informed decisions regarding database acquisition and database consolidation
where applicable.
Because USD(I) did not have a directory of databases, they
could not:

  • guarantee that the information collected, stored, and disseminated by
    subordinate agencies was maintained in accordance with applicable
    intelligence laws and DoD regulations;
  • identify gaps and opportunities for technology insertions to enhance
    intelligence, CI, and security responsibilities; and
  • provide fully informed advice concerning acquisition programs that
    significantly affect the Defense intelligence community.

There were no indications that the OUSD(I) ever considered identifying the
universe of primary databases/repositories maintained by the intelligence
community. The creation of an intelligence information technology portfolio that
includes database/repositories for each intelligence component is necessary when
considering intelligence community management and oversight, agency
interoperability, and financial intelligence community resource spending.
The
OUSD(I) could also use the information technology portfolio to conduct a review
of intelligence systems similar to the one completed by CIFA.

Information Systems Assessment

A complete information technology portfolio of the DoD Intelligence
Community’s intelligence systems and an assessment of those systems would
provide the OUSD(I) with the information needed to:

  • improve management and oversight of the Defense intelligence
    community, and
  • provide fully informed decisions on budgeting, systems acquisitions,
    systems interoperability, systems duplication, and systems data standards.

A review would help OUSD(I) identify gaps and opportunities for technology
insertions to enhance intelligence, CI, and security responsibilities. A review
would also help OUSD(I) develop data standards; a shared data architecture,
multi-tiered intelligence data architecture; and standards for a federated
application architecture framework to facilitate and foster the future sharing of
applications within the intelligence community.
CIFA used such an assessment to
improve the management of the CI Community information technology portfolio.
On June 22, 2007, the MITRE Corporation (MITRE) issued a report in response
to a contract from the Director, CIFA, to complete two tasks:

  • assess and review DoD systems providing automated support to the CI
    community, and
  • recommend a way ahead for the Defense Counterintelligence Information
    System (DCIIS) program, specifically for the multitude of automation
    systems currently in use to support the CI processes.

The MITRE review identified three issues within the CI community:

  • a lack of standardization, not only at the information level, but also in data
    and information exchange formats;
  • insufficient interoperability and access because of disjointed CI data
    across the community; and
  • duplication of effort across the CI community as CIFA, the Services, and
    DIA build and improve on information systems that provide overlapping
    functionality.

DoD Directive O-5240.02, “Counterintelligence,” December 20, 2007, addressed
the MITRE findings. The Directive stated that DoD Components will use
USD(I)-approved CI information systems and architectures for DoD CI
management and reporting.
The Directive also states that the USD(I) shall
“designate and approve all CI information systems and architectures to be used
for DoD CI management and reporting purposes.” See Appendix B for additional
information on the MITRE report.

Summary

OUSD(I) officials need to improve control mechanisms so that they have better
visibility of the quantity and capabilities of intelligence databases/repositories
maintained by agencies within the intelligence community responsible for data
collection and dissemination. They also need to improve control mechanisms that
provide the information needed to (1) determine whether duplication of systems,
facilities, and services existed; (2) provide fully informed advice concerning
acquisition of information technology programs and systems; and (3) identify
gaps and opportunities for technology insertions to enhance intelligence, CI, and
security responsibilities. OUSD(I) officials need to establish an intelligence
information technology portfolio and use that portfolio to improve management
of intelligence information systems.

Recommendation, Management Comments, and Our Response

We recommend that the Under Secretary of Defense for Intelligence:

1. Develop an intelligence information technology portfolio to include a list of all
systems currently used and systems in development, a description of the mission
and capabilities of each system, and a point-of-contact.

2. Assess all systems in the intelligence information technology portfolio to:

  • determine whether duplication of systems, facilities, and services exists;
  • identify gaps and opportunities for technology insertions;
  • develop data standards,
  • develop a shared data architecture,
  • develop a multi-tiered intelligence data architecture, and
  • develop standards for a federated application architecture framework to
    facilitate and foster the future sharing of applications within the
    intelligence community.

Appendix A. Scope and Methodology

We conducted this performance audit from October 16, 2007, through
October 17, 2008, in accordance with generally accepted government auditing
standards. Those standards require that we perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions.

We reviewed the management and oversight that DoD OUSD(I) provided for
intelligence databases. During December 2007 through September 2008, we
conducted multiple site visits to obtain a better understanding of intelligence
databases. We interviewed officials within the Office of Assistant to the
Secretary of Defense for Intelligence and Oversight; Joint Staff; Defense
Intelligence Agency; National Security Agency; National Geospatial-Intelligence
Agency; Naval Criminal Investigative Services; Office of Naval Intelligence; U.S.
Army Intelligence Security Command; National Reconnaissance Office; Air
Force Office of Special Investigations; and the Air Force Intelligence,
Surveillance, and Reconnaissance Agency.
    We requested that OUSD(I) and the
    DIA’s DIMA Portfolio Management Office provide a copy of the Intelligence
    Information Technology Portfolio; however, they had not developed a portfolio.
    We requested each member of the DoD Intelligence Community to provide a list
    of databases they maintained or used to store intelligence, CI, and law
    enforcement data.

    During the audit, we applied relevant criteria, such as DoD Directive 5143.01,
    DoD Directive 5240.1-R, DoD Directive 5240.02, DoD Directive 5148.11, and
    DoD Instruction 8115.02.

    Scope Limitation. On September 17, 2007, we issued a memorandum to the
    USD(I) requesting a list of intelligence databases. Because USD(I) could not
    provide a list, we announced the audit, on October 16, 2007, to the DoD
    intelligence components with the intention of developing the universe list of
    intelligence databases from which to select a sample. On November 13, 2007,
    USD(I) issued a memorandum, “Audit of Department of Defense Intelligence
    Database(s),” to the DoD intelligence components requiring a point of contact to
    be provided by November 26, 2007. The memorandum required each point of
    contact to be responsible for assembling a list and description of the database(s)
    that contain U.S. person information maintained for intelligence,
    counterintelligence, law enforcement, or force protection purposes; and
    identifying the organization that maintains each database. As of October 7, 2008,
    OUSD(I) still had not received a list of databases from the Intelligence
    Community.

    The difficulties encountered in trying to generate the universe list of DoD
    intelligence databases from which to select the sample for the audit were not
    completely settled.
    There was confusion on what type of databases we wanted
    included in the request; therefore, on January 8, 2008, we made a distinction
    between the large repositories/library type databases that would be the source data
    for analysts’ queries and databases created by analysts for their specific tasks.
    Meeting with the DoD intelligence components, specifying the large
    repository/library type databases, obtaining lists, and reviewing their policy and
    procedures pertaining to U.S. person information have been a time-consuming
    endeavor. For that reason, we have chosen to issue this report addressing the
    current management control condition.

    Use of Computer-Processed Data. We did not use computer-processed data to
    perform this audit.

Prior Coverage
    During the last 5 years, the Department of Defense Office of the Inspector
    General (DoD OIG) issued two reports discussing DoD databases that contain U.S.
    person information.

DoD OIG
    DoD IG Report No. 07-INTEL-09, “The Threat and Local Observation Notice
    (TALON) Report Program,” June 27, 2007

    DoD OIG Report No. 07-INTEL-14, “Review of Access to U.S. Persons Data by
    the Space and Naval Warfare Systems Command,” September 28, 2007

Appendix B. MITRE Report
    In June 2007, the CIFA initiated an assessment of the CI environment with the
    objective of cataloging and potentially consolidating CI databases.
    The following
    assessment demonstrates a successful attempt at reaching uniformity throughout
    the intelligence community.

    On June 22, 2007, the MITRE Corporation (MITRE) issued a report in response
    to a request from the Director, CIFA, to complete two tasks:

        •   assess and review DoD systems providing automated support to the CI
            community, and
        •   recommend a way ahead for the DCIIS program, specifically for the
            multitude of automation systems currently in use to support the CI
            processes.

    The goal of the DCIIS assessment was to provide an independent, objective
    evaluation on the capabilities of automated tools currently in use or in
    development for use across the CI community. The assessment also included a
    high-level gap analysis to highlight the capabilities that existed at the time to meet
    the needs of the CI community and identify shortfalls in current automated
    capabilities. For the DCIIS assessment, CIFA asked each CI community
    organization to identify current or near-current systems that are in use to support
    CI processes and that satisfy all or a portion of the requirements identified as
    evaluation factors in the review.
    CIFA asked MITRE to include available
    capabilities or capabilities projected to be available through testing by
    December 2007.

    The MITRE assessment team reviewed 14 CI systems owned by 5 intelligence
    community members.[3] MITRE representatives met with representatives from
    each CI agency to discuss and further refine the evaluation factors and then
    prepared a report documenting the assessment criteria, assumptions about specific
    criteria, the scoring guidance, and the approach used to collect the evidence to
    score each system. Based on their discussions, issues within the CI community
    included:

        •   a lack of standardization, not only at the information level, but in data and
            information exchange formats;
        •   insufficient interoperability and access as a result of disjointed CI data
            across the community; and
        •   duplication of effort across the CI community as CIFA, the Services, and
            DIA build and improve on information systems that provide overlapping
            functionality.

    [3] The five intelligence community member organizations included in the MITRE DCIIS
        assessment were the Air Force Office of Special Investigations (four CI systems),
        CIFA (three systems), DIA (one system), Naval Criminal Investigative Service
        (five systems), and United States Army (one system).

    The MITRE assessment team collected information about each of the 14 systems
    and generated five assessment reports, one for each system or suite of systems.
    The assessment team then conducted a functional and a technical assessment of
    each system.
    During the functional assessment, MITRE analyzed the information
    contained within the five assessment reports and compared the systems based on
    the following categories:

        •   counterintelligence collections,
        •   counterintelligence investigations,
        •   offensive counterintelligence operations,
        •   counterintelligence analysis and production,
        •   counterintelligence functional services, and
        •   non-offensive counterintelligence operations.

    The technical assessment of each system was based on the following categories:

        •   general system and performance requirements,
        •   human factors requirements,
        •   information technology requirements,
        •   DoD information technology compliance,
        •   operations and maintenance of the system, and
        •   training.

    According to the MITRE assessment, although CIFA had developed and deployed
    its program as the intelligence community’s CI information system, the Army,
    Navy, Air Force, and DIA had concurrently developed and deployed information
    systems that supported their individual CI missions and responsibilities. After
    considering both the functional and technical assessments of each of the
    14 information systems, MITRE could not identify a definitive winner among the
    information systems assessed. According to their evaluation, different systems
    excelled in providing different user capabilities, more robust architectures, or
    more intuitive user interfaces. The MITRE assessment team recognized that
    some duplication of effort was expected due to the existence of centers of
    excellence in the CI community for various tools, services, or architectures.
    The MITRE assessment team observed that a regular process to identify and connect
    the information systems that supported the Defense CI community did not exist.

    MITRE’s recommendations focused on system standardization (developing
    standards across the CI community); promoting a shared data architecture
    (improving CI data access across the CI community, security domains, and the
    DoD); and creating a federated application architecture (one that would improve
    ease of use, improve system functionality, and develop future capabilities, i.e.,
    technology and tool enhancement). The MITRE presentation contained the
    following conclusions:

        •   a community of semi-autonomous, dynamic CI entities will persist;
        •   CIFA should not attempt to build and operate a central CI information
            system that all CI users are expected to use exclusively to perform their
            mission; and
        •   to facilitate and foster the future sharing of applications within the CI
            community, CIFA should focus on developing data standards, a shared,
            multi-tiered CI data architecture, and standards for a federated application
            architecture framework.

    On December 20, 2007, DoD Directive O-5240.02, “Counterintelligence,” stated
    that DoD Components will use USD(I)-approved CI information systems and
    architectures for DoD CI management and reporting.
    In addition, the USD(I)
    shall, “designate and approve all CI information systems and architectures to be
    used for DoD CI management and reporting purposes.” The directive also states
    that the Director, CIFA, shall, “develop, manage, and maintain the DoD CI
    management and reporting information systems and architectures;” as well as,
    “exercising CI mission tasking authority to ensure the effective integration and
    synchronization of the DoD CI community.” On January 31, 2008, USD(I) issued
    a memorandum stating that in accordance with DoD Directive O-5240.02, Portico
    (the CIFA/Defense Intelligence Agency CI information system) will be the DoD
    information system for all CI reporting within the DoD no later than June 1, 2008.